TECHNOLOGY
TRAINING
PROGRAMME
COURSE MATERIAL
MODULE – II
Board of Studies
The Institute of Chartered Accountants of India,
New Delhi
The objective of this background material is to provide uniform reference material to the
students undergoing 100 hours Advanced Information Technology Training.
All attempts have been made to make the discussion simple and comprehensive. Students may
note that the material has been prepared with an objective to help them in acquiring requisite
knowledge and skills in the subject and gain hands on experience.
This is also expected to serve as a source of reference book in their future education and training.
In case students have any suggestions to make for further improvement of the material contained
herein, they may write to Board of Studies or ITT Section, IT Directorate, ICAI Bhawan, A-29,
Sector–62, Noida. Queries can also be sent to: indu.itt@icai.in
All care has been taken to provide the material in a manner useful to the students. However
the material has not been specifically discussed by the Council of the Institute or any of its
Committees and the views expressed herein may not be taken to necessarily represent the views
of the Council or any of its Committees.
All rights reserved. No part of this publication may be reproduced, stored in a retrieval system
or transmitted, in any forms or by any means, electronic, mechanical, photocopying, recording
or otherwise, without prior permission, in writing, from the Institute.
E-mail : indu.itt@icai.in
Website : www.icai.org
ISBN : 978-81-8441-717-3
UNIT-6 : OFFICE AUTOMATION APPLICATION AND IT SECURITY IN A CA’s OFFICE
1 INTRODUCTION TO CAAT
LEARNING OBJECTIVES
The learning objectives of the CAAT module are:
Understand how to use office automation software for performing various tasks as relevant to
services provided by chartered accountant in areas of accounting, assurance and compliance.
How to use CAAT/SQL queries for data analysis as required.
How to review controls implemented at various levels/layers such as: Parameters, user creation,
granting of access rights, input, processing and output controls in enterprise applications
1.1 Introduction
Auditors deal with information in myriad ways encompassing the areas of accounting, assurance, consulting
and compliance and most of this information is now available in electronic form. This is true not only in case of
large and medium enterprises but even in small enterprises. In case there are enterprises who have still not
adopted the digital way, then it is an opportunity for Auditors to help such enterprises to ride the digital wave.
Hence, it has become critical for Auditors to understand and use information technology as relevant for the
services we provide. It is rightly said: “one cannot audit data which is flying in bits and bytes by using the
ancient method of riding on a horse back”. We are living in a knowledge era where the skill sets are keys to
harnessing the power of technology to be effective as knowledge workers. Computer Assisted Audit Techniques
(CAATs) refers to using technology for increasing the effectiveness and efficiency of auditing. CAATs enable
auditors to do more with less and add value through the assurance process which is more robust and
comprehensive. This chapter provides an overview of the process, approach and techniques which could be
used across various technology platforms and in diverse enterprises.
implement e-Governance initiatives to improve speed, access and transparency of services. The Information
Technology (IT) Act 2000 with IT Amendment Act 2008 and IT rules 2011 provide the regulatory framework
and mechanism for recognizing electronic records and electronic transactions thereby facilitating ecommerce
and also identifying cybercrimes and providing penalties and compensation for them. Hence, we can expect IT
usage to only keep growing in the near future impacting all areas of life more so in our work as professionals.
1. Absence of input documents or lack of a visible paper trail may require the use of CAATs in the
application of compliance and substantive procedures.
2. Need for obtaining sufficient, relevant and useful evidence from the IT applications or database as per
audit objectives.
3. Ensuring audit findings and conclusions are supported by appropriate analysis and interpretation of the
evidence
4. Need to access information from systems having different hardware and software environments, different
data structure, record formats, processing functions in a commonly usable format.
5. Need to increase audit quality and comply with auditing standards.
6. Need to identify materiality, risk and significance in an IT environment.
7. Improving the efficiency and effectiveness of the audit process.
8. Ensuring better audit planning and management of audit resources.
5. Obtain control totals of all the key data and compare with totals from the raw data to ensure all records
have been properly obtained. This can be performed by importing the data in audit software and
reviewing the statistics of all the key fields.
7. Existence of records: Identify fields, which have null values. For example: invoices which do not have
vendor name.
8. Data completeness: Identify whether all fields have valid data. For example: null values in any key field
such as date, invoice number or value or name.
9. Data consistency: Identify data, which are not consistent with the regular format. For example: invoices
which are not in the required sequence.
10. Duplicate payments: Establish relationship between two or more tables as required. For example
duplicate payment for same invoice.
11. Inventory obsolescence: Sort inventory based on date of purchase or categories as per specified aging
criteria or period and identify inventory which has become obsolete.
12. Accounts exceeding authorized limit: Identify data beyond specified limit. For example,
transactions entered by user beyond their authorized limit or payment to vendor beyond amount due or
overdraft allowed beyond limit.
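The following added example (not part of the original course material) runs three of the tests listed above as SQL queries through Python's built-in sqlite3 module: reconciling control totals, finding records with empty key fields, and finding transactions above the user's authorised limit. The table names, column names, control totals and sample rows are constructed for illustration.

```python
import sqlite3

# Constructed sample data: (invoice_no, inv_date, vendor, amount, entered_by)
INVOICES = [
    ("INV-001", "2015-04-02", "Alpha Traders", 12000.0, "clerk1"),
    ("INV-002", "2015-04-03", "   ",            8500.0, "clerk1"),  # blank vendor
    ("INV-003", None,         "Beta Supplies", 43000.0, "clerk2"),  # missing date
    ("INV-004", "2015-04-09", "Gamma & Co",    61000.0, "clerk1"),  # above limit
    ("INV-005", "2015-04-11", "Alpha Traders", 49999.0, "clerk2"),
    ("INV-006", "2015-04-12", "Beta Supplies",  1500.0, "temp9"),   # no limit on file
]
# Constructed authorisation limits per user id
LIMITS = [("clerk1", 50000.0), ("clerk2", 50000.0)]
KEY_FIELDS = ("invoice_no", "inv_date", "vendor", "amount")


def load():
    """Import the extract into an in-memory audit database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE invoices (invoice_no TEXT, inv_date TEXT, vendor TEXT,
                               amount REAL, entered_by TEXT);
        CREATE TABLE limits (user_id TEXT PRIMARY KEY, max_amount REAL);
    """)
    conn.executemany("INSERT INTO invoices VALUES (?,?,?,?,?)", INVOICES)
    conn.executemany("INSERT INTO limits VALUES (?,?)", LIMITS)
    return conn


def reconcile(conn, source_control):
    """Compare imported record count and amount total with the totals
    reported by the source application; non-zero means records were lost
    or altered between the source system and the audit copy."""
    count, total = conn.execute(
        "SELECT COUNT(*), COALESCE(SUM(amount), 0) FROM invoices").fetchone()
    return {"records": count - source_control["records"],
            "amount": round(total - source_control["amount"], 2)}


def incomplete_records(conn):
    """Return (row number, [empty key fields]) for records that have a NULL
    or blank value in any key field."""
    # KEY_FIELDS is a fixed constant, so building the clause from it is safe.
    where = " OR ".join(f"{f} IS NULL OR TRIM({f}) = ''" for f in KEY_FIELDS)
    rows = conn.execute(
        f"SELECT rowid, {', '.join(KEY_FIELDS)} FROM invoices "
        f"WHERE {where} ORDER BY rowid")
    result = []
    for rowid, *values in rows:
        missing = [f for f, v in zip(KEY_FIELDS, values)
                   if v is None or str(v).strip() == ""]
        result.append((rowid, missing))
    return result


def over_limit(conn):
    """Transactions above the entering user's limit. The LEFT JOIN also
    reports users who have no limit on file (max_amount is NULL)."""
    return conn.execute("""
        SELECT i.invoice_no, i.entered_by, i.amount, l.max_amount
        FROM invoices i LEFT JOIN limits l ON l.user_id = i.entered_by
        WHERE l.max_amount IS NULL OR i.amount > l.max_amount
        ORDER BY i.invoice_no""").fetchall()


if __name__ == "__main__":
    db = load()
    print("Control total differences:",
          reconcile(db, {"records": 6, "amount": 175999.0}))
    print("Incomplete records:", incomplete_records(db))
    print("Over limit or no limit:", over_limit(db))
```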
Summary
CAATs enable auditors to use computers as a tool to audit electronic data. CAATs provide auditors access to
data in the medium in which it is stored, eliminating the boundaries of how the data can be audited. As auditors
start using CAATs, they will be in a better position to have a considerable impact on their audit and auditee as
more time is spent on analysis and less time on routine verification. It is important to understand the client IT
environment and chart out which techniques of CAAT could be used. Initially, time needs to be invested in this
endeavour but once the audit plan is prepared based on the IT environment as per audit scope, re-use
becomes easier. However, the audit plan and tests need to be updated based on changes in the IT environment
as relevant. Using CAATs provides greater assurance of audit process to the auditor and also to the auditee.
The key to using CAAT is recognizing the need, learning how to use CAATs and using them in practical
situations.
Planning
Documentation should include:
• CAATs objectives
• CAATs to be used
• Controls to be exercised
• Staffing and timing
Execution
Documentation should include:
• CAATs preparation and testing procedures and controls
• Details of the tests performed by the CAATs
• Details of inputs (e.g., data used, file layouts), testing periods, processing (e.g., CAATs high-level
flowcharts, logic) and outputs (e.g., log files, reports)
• Listing of relevant parameters or source code
Audit Evidence
Documentation should include:
• Output produced
• Description of the audit analysis work performed on the output
• Audit findings
• Audit conclusions
• Audit recommendations
In audits where CAAT is used, it is advisable that the audit report includes a clear description of the CAATs
used in the objectives, scope and methodology section. The description of CAATs used should also be included
in the body of the report, where the specific finding relating to the use of CAATs is discussed. This description
should not be overly detailed, but it should provide a good overview for the reader.
• Re-calculation: All the computations which were done electronically by the application software used in
the enterprise can be independently validated by re-performing the computations. For example, Tax
deducted at source or VAT charged on sales, interest computation, etc. can be re-computed in CAAT
software and validated with the computed totals from the original application software to confirm
correctness of processing of transactions.
• Computation: Using CAAT software, it is possible to compute totals to confirm correctness. For example,
the VAT payments made for the year can be totalled in CAAT software to compare with the total payments
as per VAT returns. The interest debited can be computed and compared with actual debit to interest a/c
for the year.
• Analytical procedures: Based on the data available in electronic format, various analytical procedures
can be performed by comparing and relating various aspects of financial and non-financial information.
unit is selected for examination. This method systematically weights the selection in favour of the larger
amounts but still gives every monetary value an equal opportunity for selection. Another example includes
selecting every ‘nth’ sampling unit.
Non-statistical sampling methods are:
• Haphazard sampling—The IS auditor selects the sample without following a structured technique, while
avoiding any conscious bias or predictability. However, analysis of a haphazard sample should not be relied
upon to form a conclusion on the population.
• Judgmental sampling—The IS auditor places a bias on the sample (e.g., all sampling units over a
certain value, all for a specific type of exception, all negatives, all new users). It should be noted that a
judgmental sample is not statistically based and results should not be extrapolated over the population as the
sample is unlikely to be representative of the population.
The auditor should select sample items in such a way that the sample is expected to be representative of the
population regarding the characteristics being tested, i.e., using statistical sampling methods. To maintain audit
independence, the IS auditor should ensure that the population is complete and control the selection of the
sample. For a sample to be representative of the population, all sampling units in the population should have an
equal or known probability of being selected, i.e., statistical sampling methods.
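As an added illustration (not from the original material), the sketch below contrasts the two selection methods mentioned above: taking every nth sampling unit, and a value-weighted selection in which every nth monetary unit picks the item that contains it, assumed here to be the fixed-interval form of monetary unit sampling. The function names and the sample ledger are constructed.

```python
import random


def systematic_sample(records, interval, start=None, rng=random):
    """Select every `interval`-th record, beginning at position `start`
    (1-based). A random start within the first interval gives every record
    the same chance of selection."""
    if interval < 1:
        raise ValueError("interval must be at least 1")
    if start is None:
        start = rng.randint(1, interval)
    if not 1 <= start <= interval:
        raise ValueError("start must lie within the first interval")
    return records[start - 1::interval]


def monetary_unit_sample(items, interval, start=None, rng=random):
    """Value-weighted selection over (item_id, amount) pairs.

    The ledger is treated as a run of single monetary units. Every
    `interval`-th unit is picked and the item containing it is examined,
    so each unit has an equal chance while larger items are hit more often.
    Any item worth `interval` or more is certain to be selected.
    Returns (item_id, amount, hits) for each selected item.
    """
    if interval < 1:
        raise ValueError("interval must be at least 1")
    if start is None:
        start = rng.randint(1, interval)
    if not 1 <= start <= interval:
        raise ValueError("start must lie within the first interval")
    selected, cumulative, next_hit = [], 0, start
    for item_id, amount in items:
        if amount <= 0:
            # Zero and negative balances carry no units to pick from and
            # need to be tested separately.
            continue
        cumulative += amount
        hits = 0
        while next_hit <= cumulative:
            hits += 1
            next_hit += interval
        if hits:
            selected.append((item_id, amount, hits))
    return selected


# Constructed ledger in whole currency units: (item_id, amount)
LEDGER = [("A", 50), ("B", 5000), ("C", 120), ("D", 30),
          ("E", 800), ("F", 0), ("G", -200)]

if __name__ == "__main__":
    population = list(range(1, 1001))
    print(len(systematic_sample(population, 10)), "records selected")
    for row in monetary_unit_sample(LEDGER, interval=1000, start=500):
        print(row)
```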
LEARNING OBJECTIVES
To gain an understanding of importing different file formats into IDEA.
To understand how to generate field statistics for the database.
To understand formatting Data.
Many audit software packages are available in the market. However, for the purpose of learning CAATs, we will be
using IDEA software in this chapter and also for performing exercises in the lab. Students may refer to the ICAI
publication titled: “Practical application of CAAT –case studies” for more examples and details of CAATs using
IDEA Software.
(a) In the Import Assistant Dialog Box, select Microsoft Access from the list.
(b) Click the Browse button next to the File name box to select the Microsoft Access database you want to
import.
(c) Navigate to and select C:\Program Files\IDEA\UserFiles\Tutorial\Customer.MDB.
(d) Click Open.
(e) The Select File dialog box closes and the selected file name and path appear in the File name box in the
Import Assistant dialog box.
(f) Click Next.
The Microsoft Access dialog box appears.
(h) All Character fields will be imported with a length of 255 characters unless changed. This is not likely to
be the underlying Character field length. Therefore, leave the Scan records for field length check box
selected. Also, accept the default value in the Scan only box in order to scan 10,000 records to
determine the maximum field length.
(i) Accept the default output file name (Customer), and then click OK. When the file is imported, the
database name becomes filename-tablename. In this case, the file you imported becomes an IDEA
database called Customer-Database.
Function Description
You can use the Export Database task to create an external file from an IDEA database so that you can use the
data in other applications, such as a spreadsheet package. You can also use Copy and Paste to incorporate
portions of text or sections of database into other Windows applications. IDEA also supports drag and drop into
any other OLE2 container application, such as Microsoft Excel. IDEA exports data in a number of text,
database, spreadsheet, and mail merge formats.
3.3 Summarization
Learning Objectives:
To total the sales transaction by INVOICENO to produce a list of outstanding Sales as well as to identify the
number of INVOICENO and the Sales per INVOICENO.
Function Description
Summarization accumulates the values of Numeric fields for each unique key. For example, summarizing an
Accounts Payable database by account number (the key) and totalling invoice amounts produces a database or
Location
• Analysis > Summarization
(b) Click Fields. The Fields dialog box appears. Note that no fields are selected. This stops unnecessary
information from being included in the summarized database.
(c) Click OK to return to the Summarization dialog box.
Select the Use Quick Summarization check box. The Use Quick Summarization check box may be selected
as a faster means to summarize your database. However, Quick Summarization may only be used if the
database has no more than 4,000 unique keys. In addition, Quick Summarization allows you to select only one
field to summarize.
There are two types of output from the Summarization task:
• Summarization database
• Summarization result
Note that as with most tasks in IDEA, you may apply a criterion to the task, for example, only summarize
transactions for a specified period. As with all other tasks where you can apply a criterion, if you apply the
criterion to the database using the Criteria link in the Properties window, the criterion equation appears in the
Criteria text box on the task dialog box. However, you may enter a new criterion or modify an existing one
using the Equation Editor as shown in Fig 3.3.2.
automatically creates an Action Field link to the parent database (Sales Transactions). It allows you to display
the records from the Sales Transactions database by clicking on a value (in blue) in the NO_OF_RECS field
as shown in Fig 3.3.3.
3.4 Statistics
Learning Objectives
• To understand how to view the field statistics for the Numeric fields in the active database.
• The statistics are used for reconciling totals, obtaining a general understanding of the ranges of values in
the database, and highlighting potential errors and areas of weakness on which to focus subsequent tasks.
Function Description
The Field Statistics property provides statistical information about all Numeric, Date, and Time fields within the
active database. The field statistics are available and displayed for all records in the database, with any applied
criteria ignored.
By default, the Field Statistics window displays the statistics for Numeric fields. Ensure that Customer-
Database is the active database and the Data property is selected in the Properties window.
The two images below display statistics for Date and Time fields for the current active database.
Statistics for Date Fields
3.5 Sampling
Learning Objectives
• To draw a number of records at a fixed interval for testing.
• To select a random sample of records for testing.
• To extract a random sample with a specified number of records from each of a series of bands.
Function Description
Sampling in IDEA is broadly statistical and probability-based.
The probability-based sampling techniques are: Systematic, Random and Stratified Random
The statistical sampling techniques are: Attribute, Classical Variable and Monetary Unit sampling
We will be covering examples of systematic and random sampling only in this training. Students may try other
forms of sampling in the lab exercise.
(a) In the Selection Interval tab page, enter 10 for the selection interval. This means it picks every 10th record
from records 1 to 1000. Total records picked are 100.
(b) Click Ok.
Step 3: Result of Systematic Sampling
Location
• Sampling > Random.
• Alternatively, click the Random Record Sampling button on the Operations toolbar. The Random
Record Sampling dialog box appears as shown in Fig 3.5.5.
IDEA sets the defaults as the first and last records; in this case 1 and 999.
(d) Leave the Allow duplicate records check box unselected.
(e) In the File name box, enter Random Sales.
(f) On clicking OK, a total of 10 records are extracted from the active database.
Random Sampling Result
3.6 Stratification
Learning Objectives
• To stratify the data from the file into bands and gain a profile of the data. The data can be
stratified using a numeric, date or character field to select a random sample of records for testing.
Function Description
The process of stratification involves creating bands based on ranges of values (normally from the minimum to
the maximum values of one or more fields) and accumulating the records from the database into the
appropriate bands. By totaling the number of records and value of each band, you can gain a profile of the data
in the database. You can then investigate any deviations from expected trends. You may have up to 1,000
stratification bands. The stratification analysis is also useful for determining high and low cut-off values for
testing exceptional items.
A numeric stratification analysis can also be created for each unique value or key in a field by selecting that
field from the Group by drop down list. For example, you could produce a profile of sales for each salesperson.
This can potentially create an extremely large volume of output; however, the maximum number of groups that
will be displayed in the result is 80. If there are more than 80 groups, only the first 80 are displayed. Therefore,
there is an option to specify low and high cut-off values to restrict output. Only groups whose total value of
transactions is between the specified range are output.
To include all items in the stratification analysis, the bands should start less than the minimum value and the
upper band greater than the maximum value of all fields.
Date and Character stratification are different than Numeric Stratification in the sense that different fields are
totaled to the one used for banding.
Step by Step Procedure for performing Numeric Stratification
Ensure that Sales Transaction-Sales Trans is the active database.
Location
• Analysis > Stratification.
• Highlight the next three rows of the spreadsheet area to take the range to 50,500.
Exercises:
1. Use sample-employees file and perform numeric stratification on salary with various bands.
2. Use sample-employees and perform character stratification based on name.
3.7 Sorting
Learning Objectives
• To create a new database in which the records are physically sorted in a specified order.
Ensure that Sales Transaction-Sales Trans is the active database.
Location
• Data > Sort.
Function Description
The fields you select to sort the records by are known as keys. A sort order may contain up to eight keys. When
creating a sort order, the most significant field is selected first (primary key), followed by the next most
significant field, and so on down to the least significant field (secondary keys).
With the Sort task, a new database is created with the records in the sequence of the key. This new database is
a child database and appears in the File Explorer below the main database. Once you have sorted a database,
IDEA displays the records in the database in the sort order and updates the list in the Indices area of the
Properties window.
Sorted-Database
Function Description
IDEA includes two key functions to identify exceptions, irregularities, anomalies and errors.
These are: Duplicate Detection and Gap Detection
These functions assist the user to sift through large volumes of data and help pin-point specific duplicate
entries or specific missing entries. These also help the user obtain an assurance on all the data reviewed by it.
The duplicate or missing items identified can be taken up for testing after running the respective duplicate and
gap tests within IDEA.
Duplicate Detection and Gap Detection tests are standard passing tests which are run on every database right
at the inception, prior to detailed exception and analytical testing within IDEA. The tests do not require much
querying experience and resemble plug-n-play tests. Both tests run largely on formatted sequential data fields
like Invoice Number, Purchase Order Number, Cheque Number, etc.
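The logic behind the two tests can be shown outside IDEA. The following is an added example, not IDEA's own code: it groups records on a chosen key to report duplicates and lists missing numbers in a formatted sequential field. The field names DATE, INVOICENO and USERID follow the Sales Transactions database used in this chapter; the rows and the `INV-` numbering format are constructed.

```python
import re
from collections import defaultdict

# Constructed sample rows
ROWS = [
    {"DATE": "2015-04-01", "INVOICENO": "INV-1001", "USERID": "U01", "SALES": 1200},
    {"DATE": "2015-04-01", "INVOICENO": "INV-1002", "USERID": "U02", "SALES": 560},
    {"DATE": "2015-04-01", "INVOICENO": "INV-1002", "USERID": "U02", "SALES": 560},
    {"DATE": "2015-04-02", "INVOICENO": "INV-1005", "USERID": "U01", "SALES": 980},
    {"DATE": "2015-04-03", "INVOICENO": "INV-1005", "USERID": "U03", "SALES": 980},
    {"DATE": "2015-04-03", "INVOICENO": "INV-1007", "USERID": "U01", "SALES": 75},
    {"DATE": "2015-04-04", "INVOICENO": "1008", "USERID": "U02", "SALES": 300},
]


def find_duplicates(rows, key_fields):
    """Group records on the chosen key fields and return only the keys that
    occur more than once, mapped to their 1-based record numbers."""
    groups = defaultdict(list)
    for pos, row in enumerate(rows, start=1):
        groups[tuple(row[f] for f in key_fields)].append(pos)
    return {key: recs for key, recs in groups.items() if len(recs) > 1}


def find_gaps(rows, field, pattern=r"INV-(\d+)"):
    """Return (gaps, malformed) for a formatted sequential field.

    gaps      -- inclusive (first_missing, last_missing) ranges between the
                 lowest and highest number present
    malformed -- (record number, value) for entries that do not match the
                 expected format; they are reported instead of being
                 silently dropped from the sequence
    """
    numbers, malformed = set(), []
    for pos, row in enumerate(rows, start=1):
        match = re.fullmatch(pattern, str(row[field]).strip())
        if match:
            numbers.add(int(match.group(1)))
        else:
            malformed.append((pos, row[field]))
    seq = sorted(numbers)
    gaps = [(a + 1, b - 1) for a, b in zip(seq, seq[1:]) if b - a > 1]
    return gaps, malformed


if __name__ == "__main__":
    # A wide key finds exact re-entries; a narrow key also finds the same
    # invoice number booked on another date or by another user.
    print(find_duplicates(ROWS, ("DATE", "INVOICENO", "USERID")))
    print(find_duplicates(ROWS, ("INVOICENO",)))
    print(find_gaps(ROWS, "INVOICENO"))
```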
Step by Step Procedure for Duplicate Detection
Ensure that Sales Transaction-Sales Trans is the active database.
Location
• Analysis > Duplicate Key > Detection.
Duplicate Result
(a) In the resultant database, the 8 transactions with duplicate DATE, INVOICENO and USERID values are
investigated.
3.10 Aging
Learning Objectives
• To age a selected database from a particular date for up to six specified intervals. These intervals can be
days, months, or years.
• To age the outstanding debts at the yearend in order to determine provisions required against bad debts.
Function Description
Aging function presents aged summaries of data. This summary may be based on the current date or a
specified cutoff date. Use the Aging task to age a selected database from a particular date for up to six
specified intervals. These intervals can be days, months, or years. For example, you can age the outstanding
debts at the yearend in order to determine provisions required against bad debts.
The most common use of the Aging task is with Accounts Receivable or Debtor Ledgers. However, also
consider using Aging on inventory databases (date of last movement) or on short-term loan databases.
The Aging task optionally produces:
• A detailed aging database
• A key summary database
• A Results output
Ensure that Sales Transaction-Sales Trans is the active database.
Location
• Analysis > Aging.
Function description
Extract selected data from a file for further investigation for creating a new file of logically selected records. For
example: you can use Direct Extraction to perform a single extraction on a database, or up to 50 separate
extractions with a single pass through the database.
Step by Step Procedure for Data Extraction
Ensure that Sales Transaction is the active database.
Location
• Data > Extractions > Direct Extraction.
(a) In the File Name column, replace the default file name with Sales Greater than 20,000.
(b) Click the Equation Editor Button, and then enter the equation SALES >= 20000.
(c) Click the Validate and Exit button to return to the Extract to File(s) dialog box.
(d) Clicking OK creates a new child database named Sales Greater than 20,000, which contains records
where Sales is greater than 20,000.
errors, potential fraud, or other irregularities. If artificial values are present in the selected database, the
distribution of the digits may have a different shape, when viewed graphically, than the shape predicted by
Benford's Law.
A Benford's Law analysis is most effective on data:
• Comprised of similar sized values for similar phenomena.
• Without built-in minimum and maximum values.
• Without assigned numbers, such as bank accounts numbers and zip codes.
• With four or more digits.
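The comparison that a Benford's Law analysis makes can be sketched as follows. This is an added example, not IDEA's implementation: it counts leading digits, compares them with the expected proportions log10(1 + 1/d), and uses a chi-square statistic (an assumption chosen here as the measure of fit) to flag a distribution that departs from the predicted shape. Both data sets are constructed.

```python
import math
from collections import Counter
from decimal import Decimal

# Expected proportion of values whose first digit is d
BENFORD = {d: math.log10(1 + 1 / d) for d in range(1, 10)}
CHI2_CRITICAL = 15.507  # chi-square, 8 degrees of freedom, 5% significance


def first_digit(value):
    """Leading non-zero digit of a number, ignoring sign and decimal point.
    Returns None for zero, which has no leading digit."""
    digits = Decimal(str(value)).as_tuple().digits
    return digits[0] if digits and digits[0] != 0 else None


def benford_test(values):
    """Compare observed first-digit counts with the Benford expectation."""
    counts = Counter(d for d in map(first_digit, values) if d is not None)
    n = sum(counts.values())
    if n == 0:
        raise ValueError("no non-zero values to analyse")
    table, chi2 = {}, 0.0
    for d in range(1, 10):
        expected = n * BENFORD[d]
        observed = counts.get(d, 0)
        chi2 += (observed - expected) ** 2 / expected
        table[d] = (observed, round(expected, 1))
    # Digit whose observed count exceeds its expected count by the most
    most_over = max(table, key=lambda d: table[d][0] - table[d][1])
    return {"n": n, "table": table, "chi2": round(chi2, 2),
            "conforms": chi2 <= CHI2_CRITICAL, "most_over": most_over}


def natural_sales():
    """Constructed data: amounts growing by 7% per step, spanning several
    orders of magnitude with no built-in minimum or maximum."""
    return [round(1000 * 1.07 ** k) for k in range(300)]


def padded_sales():
    """Constructed data: the same amounts plus 60 artificial entries that
    all fall between 9,000 and 9,999."""
    return natural_sales() + [9000 + (k * 37) % 1000 for k in range(60)]


if __name__ == "__main__":
    for name, data in (("natural", natural_sales()), ("padded", padded_sales())):
        result = benford_test(data)
        print(name, "chi2 =", result["chi2"], "conforms =", result["conforms"],
              "most over-represented digit =", result["most_over"])
```

A flagged distribution only indicates where to look; the records behind the over-represented digit still have to be extracted and examined.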
Step by Step Procedure for using Benford’s Law function
Ensure that Sales Transaction is the active database.
Location
• Analysis > Benford's Law.
Function Description
Consolidation is the process of combining values from several ranges of data. Data can be consolidated by
Pivot Table.
Step by Step Procedure for reporting
Ensure that Sales Transaction is the active database.
Location
• Analysis > Pivot Table.
Functions
Use functions to perform more complex calculations and exception testing. You can use them for date
arithmetic, text searches, and some statistical operations. They are very similar in style and operation to
functions found in other software packages such as Microsoft Excel, Lotus 1-2-3, and dBASE. Each function
calculates a result based upon the parameters passed to the function. Parameters are passed in parentheses.
3.15 Reporting
Learning Objectives
• To generate a report for the current active database.
Function Description
You can use the reporting feature to generate various types of reports from IDEA.
Function Description
You can use this to modify the fields as required. Please note that making changes to a field through Field
Manipulation may cause any output based on that field (results, drill-downs, indices, views, etc) to appear
incorrect or become invalid. Results may be made valid again by returning the settings to what they were when
the result was created. To avoid this, instead of changing a field definition, append a new field to the database
with the required definition. For example, instead of changing the type of a field from Character to Numeric,
create a new Virtual Numeric field using @Val.
Select Data>Field Manipulation. Field Manipulation Dialog Box is opened.
Add a field
• Click Append.
• Enter the field definition:
• Field Name: A unique field name up to 40 characters in length that does not contain spaces or special
characters.
• Type: Click the Type text box to display the type options, and then select the required type.
• Length: The total length of the field in characters. IDEA automatically determines the length for Editable
Numeric fields.
• Decimal: If applicable, enter the number of decimal places. If the decimal is implied, enter 0. The
maximum number of decimal places allowed is six.
• Parameter: Click the Parameter field to invoke the Equation Editor.
• Tag Name: If you have Smart Analyzer installed, click the <No tag> link to add a tag.
• Description (optional): A brief description of the field. The maximum length of the description is 256
characters.
• Click OK.
Delete a field
Click in the row corresponding to the field to be deleted.
Click Delete.
Click Yes to confirm the deletion.
Note: As a security feature, by default, native fields cannot be deleted.
Change a field type
Click the Type text box to display the type options, and then select the required type.
Notes:
• Virtual field types can only be changed to other Virtual field types. For example, a Virtual Character field
could be changed to a Virtual Date field.
• Field types cannot be changed for Editable, Boolean or Multistate fields; however the data within this
field in the database can be changed.
Change a field name
Click in the Field Name cell of the field name to be changed and enter the new name.
Exercise:
Use the Sample-employees file to modify different fields and understand the impact.
Questions
1. Computer Assisted Audit Techniques (CAATs) refers to using _________for increasing the effectiveness
and efficiency of auditing.
A. Technology
B. Standards
C. Documentation
D. Systematic Process
Answers
1. A 2. B 3. D 4. C
5. C 6. C 7. D 8. A
9. B 10. D 11. B 12. D